flex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Haykel BEN JEMIA <hayke...@gmail.com>
Subject Re: Signed RSL from Apache
Date Mon, 20 Feb 2012 16:00:26 GMT
Talking about security, I think there is nothing being done to prevent
man-in-the-middle for JS libraries hosted by Google for example, so it does
not seem to be an issue even if JS is plain text and easier to manipulate
(I did not hear about such an attack). Is the RSL issue we are talking
about a real issue?


On 20 February 2012 16:47, Paul Evans <paulevans@creative-cognition.co.uk>wrote:

> On 20 Feb 2012, at 15:30, Haykel BEN JEMIA wrote:
> >> Although: I suspect with effort, it is possible for suitably skilled for
> >> man-in-the-middle attacker to intercept the loader SWF and replace the
> >> byte-code storing the MD5 values their own and still inject badLibrary.
> > What about storing the data as an embedded octet-streams instead of
> strings?
> I am not sure that changes very much. If the validation bytes, whether
> stored as a string, octet or otherwise are a static sequence of bytes,
> established when the official library is compiled, then I think our
> notional attackers could match the pattern and substitute their own.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message